This paper presents a bisimulation-based method for establishing the soundness of equations between
terms constructed using operations whose semantics is specified by rules in the GSOS format
of Bloom, Istrail and Meyer. The method is inspired by de Simone's FH-bisimilarity and uses transition
rules as schematic transitions in a bisimulation-like relation between open terms. The soundness
of the method is proven and examples showing its applicability are provided. The proposed
bisimulation-based proof method is incomplete, but the article offers some completeness results for
restricted classes of GSOS specifications.

1 Introduction 

Equations play a fundamental role in the development of the theory and practice of process calculi and 
programming languages since they offer a mathematically appealing and concise way of stating the 'laws 
of programming' (to borrow the title of a paper by Hoare et al. [22]) that apply to the language at hand. 
In the setting of process calculi, the study of equational axiomatizations of behavioural relations has 
been a classic area of investigation since, e.g., the early work of Hennessy and Milner EUl |25ll , who 
offered complete axiom systems for bisimilarity [30] over the finite and regular fragments of Milner's 
CCS [26]. Such axiomatizations capture the essence of bisimilarity over those fragments of CCS in 
a syntactic, and often revealing, way and potentially pave the way for the verification of equivalences 
between processes by means of theorem proving techniques. Despite these early achievements, the 
search for axiomatizations of process equivalences that are powerful enough to establish all the valid 
equations between open process terms — that is, terms possibly containing variables — has proven to be a 
very difficult research problem; see Q for a survey of results in this area. For instance, to the best of our 
knowledge, there is no known axiomatization of bisimilarity over recursion-free CCS that is complete 
over open terms. Stepping stones towards such a result are offered in, e.g., EHH. 

The most basic property of any equation is that it be sound with respect to the chosen notion of
semantics. Soundness proofs are often lengthy, work-intensive and need to be carried out for many
equations and languages. It is therefore not surprising that the development of general methods for proving
equivalences between open terms in expressive process calculi has received some attention since the
early developments of the algebraic theory of processes; see, e.g., the references [12, 23, 32, 34, 35] for
some of the work in this area over a period of over 20 years. This article offers a contribution to this line
of research by developing a bisimulation-based method, which we call rule-matching bisimilarity, for
establishing the soundness of equations between terms constructed using operations whose semantics
is specified by rules in the GSOS format of Bloom, Istrail and Meyer [11]. Rule-matching bisimilarity
is inspired by de Simone's FH-bisimilarity [34] and uses transition rules as transition schemas in a
bisimulation-like relation between open terms. We prove that rule-matching bisimilarity is a sound proof
method for showing the validity of equations with respect to bisimilarity and exhibit examples witnessing
its incompleteness.

The incompleteness of rule-matching bisimilarity is not unexpected and raises the question whether
the method is powerful enough to prove the soundness of 'interesting' equations. In order to offer a
partial answer to this question, we provide examples showing the applicability of our proof method. In
particular, our method does not only apply to a more expressive rule format than the one proposed by
de Simone in [34], but is also a sharpening of de Simone's FH-bisimilarity over de Simone languages.
See Section 6, where we apply rule-matching bisimilarity to prove the soundness of the equations in
de Simone's 'clock example'. (This example was discussed by de Simone in [34] to highlight the
incompleteness of FH-bisimilarity.) On the theoretical side, we also offer some completeness results for
restricted classes of GSOS specifications.

Overall, we believe that, while our conditions are neither necessary nor in general can they be 
checked algorithmically, they frequently hold, and they are more accessible to machine support than 
a direct proof of soundness. 

The paper is organized as follows. Sections 2 and 3 introduce the necessary preliminaries on the
GSOS rule format that are needed in the remainder of the paper. In particular, Section 3 recalls the notion
of ruloid, which plays a key role in the technical developments to follow. In Section 4, we introduce
a simple logic of transition formulae and establish a decidability result for the validity of implications
between formulae. Implication between certain kinds of transition formulae that are naturally associated
with the premises of (sets of) ruloids is used in the definition of rule-matching bisimilarity in Section 5.
In that section, we prove that rule-matching bisimilarity is a sound method for showing the validity of
equations in GSOS languages modulo bisimilarity and exhibit examples witnessing its incompleteness.
We apply rule-matching bisimilarity to show the validity of some sample equations from the literature
on process algebra in Section 6. We then offer some partial completeness results for rule-matching
bisimilarity (Section 7). The paper concludes with a discussion of related and future work (Section 8).

2 Preliminaries 

We assume familiarity with the basic notation of process algebra and structural operational semantics; 
see e.g. EJ QO HI EES IS Ell M W\ ED for more details. 

Let Var be a countably infinite set of process variables with typical elements $x, y$. A signature $\Sigma$
consists of a set of operation symbols, disjoint from Var, together with a function arity that assigns a
natural number to each operation symbol. The set $\mathbb{T}(\Sigma)$ of terms built from the operations in
$\Sigma$ and the variables in Var is defined in the standard way. We use $P, Q, \ldots$ to range over terms and the
symbol = for the relation of syntactic equality on terms. We denote by $T(\Sigma)$ the set of closed terms over
$\Sigma$, i.e., terms that do not contain variables, and will use $p, q, \ldots$ to range over it. An operation symbol
$f$ of arity 0 will be often called a constant symbol, and the term $f()$ will be abbreviated as $f$.

Besides terms we have actions, elements of some given nonempty, finite set Act, which is ranged
over by $a, b, c, d$. A positive transition formula is a triple of two terms and an action, written
$P \xrightarrow{a} P'$. A negative transition formula is a pair of a term and an action, written
$P \stackrel{a}{\nrightarrow}$.

A (closed) $\Sigma$-substitution is a function $\sigma$ from variables to (closed) terms over the signature $\Sigma$.
For $t$ a term or a transition formula, we write $t\sigma$ for the result of substituting $\sigma(x)$ for each $x$
occurring in $t$, and vars($t$) for the set of variables occurring in $t$. A $\Sigma$-context $C[\vec{x}]$ is a term in
which at most the variables $\vec{x}$ appear. $C[\vec{P}]$ is $C[\vec{x}]$ with $x_i$ replaced by $P_i$ wherever it occurs.

Definition 2.1 [GSOS Rule] Suppose $\Sigma$ is a signature. A GSOS rule $\rho$ over $\Sigma$ is a rule of the form:

$$\frac{\bigcup_{i=1}^{l}\{x_i \xrightarrow{a_{ij}} y_{ij} \mid 1 \le j \le m_i\} \;\cup\; \bigcup_{i=1}^{l}\{x_i \stackrel{b_{ik}}{\nrightarrow} \mid 1 \le k \le n_i\}}{f(x_1,\ldots,x_l) \xrightarrow{c} C[\vec{x},\vec{y}]} \qquad (1)$$

where all the variables are distinct, $m_i, n_i \ge 0$, $a_{ij}$, $b_{ik}$, and $c$ are actions, $f$ is an operation
symbol from $\Sigma$ with arity $l$, and $C[\vec{x},\vec{y}]$ is a $\Sigma$-context.

It is useful to name components of rules. The operation symbol $f$ is the principal operation of the
rule, and the term $f(\vec{x})$ is the source. $C[\vec{x},\vec{y}]$ is the target; $c$ is the action; the formulae above
the line are the antecedents (sometimes denoted by ante($\rho$)); and the formula below the line is the
consequent (sometimes denoted by cons($\rho$)).

For a GSOS rule $\rho$, SV($\rho$) and TV($\rho$) are the sets of source and target variables of $\rho$; that is,
SV($\rho$) is the set of variables in the source of $\rho$, and TV($\rho$) is the set of $y$'s for antecedents
$x \xrightarrow{a} y$.

Definition 2.2 A GSOS language is a pair $G = (\Sigma_G, R_G)$ where $\Sigma_G$ is a finite signature and $R_G$ is
a finite set of GSOS rules over $\Sigma_G$.

Informally, the intent of a GSOS rule is as follows. Suppose that we are wondering whether $f(\vec{P})$ is
capable of taking a $c$-step. We look at each rule with principal operation $f$ and action $c$ in turn. We
inspect each positive antecedent $x_i \xrightarrow{a_{ij}} y_{ij}$, checking if $P_i$ is capable of taking an
$a_{ij}$-step for each $j$ and if so calling the $a_{ij}$-children $Q_{ij}$. We also check the negative antecedents:
whether $P_i$ is incapable of taking a $b_{ik}$-step for each $k$. If so, then the rule fires and
$f(\vec{P}) \xrightarrow{c} C[\vec{P},\vec{Q}]$. This means that the transition relation $\to_G$ associated with a
GSOS language $G$ is the one defined by the rules using structural induction over closed $\Sigma_G$-terms. This
transition relation is the unique sound and supported transition relation. Here sound means that whenever
a closed substitution $\sigma$ 'satisfies' the antecedents of a rule of the form (1), written
$\to_G, \sigma \models$ ante($\rho$), then $f(x_1,\ldots,x_l)\sigma \xrightarrow{c}_G C[\vec{x},\vec{y}]\sigma$. On the other
hand, supported means that any transition $p \xrightarrow{c}_G q$ can be obtained by instantiating the
conclusion of a rule $\rho$ of the form (1) with a substitution that satisfies its premises. In that case, we
say that $p \xrightarrow{c} q$ is supported by $\rho$. A rule $\rho$ is junk in $G$ if it does not support any
transition in $\to_G$. We refer the interested reader to [11] for the precise definition of $\to_G$ and much
more information on GSOS languages.

For each closed term $p$, we define init($p$) $= \{a \in Act \mid \exists q : p \xrightarrow{a}_G q\}$. For a GSOS
language $G$, we let init($T(\Sigma_G)$) $= \{$init($p$) $\mid p \in T(\Sigma_G)\}$.

The basic notion of equivalence among terms of a GSOS language we will consider in this paper is
bisimulation equivalence [26, 30].

Definition 2.3 Suppose $G$ is a GSOS language. A binary relation $\sim\ \subseteq T(\Sigma_G) \times T(\Sigma_G)$ over
closed terms is a bisimulation if it is symmetric and $p \sim q$ implies, for all $a \in Act$,

If $p \xrightarrow{a}_G p'$ then, for some $q'$, $q \xrightarrow{a}_G q'$ and $p' \sim q'$.

We write $p \,\underline{\leftrightarrow}_G\, q$ if there exists a bisimulation $\sim$ relating $p$ and $q$. The subscript
$G$ is omitted when it is clear from the context.

It is well known that $\underline{\leftrightarrow}_G$ is a congruence for all operation symbols $f$ of $G$ [11].

Let Bisim($G$) denote the quotient algebra of closed $\Sigma_G$-terms modulo bisimulation. Then, for
$P, Q \in \mathbb{T}(\Sigma_G)$,

$$\mathrm{Bisim}(G) \models P = Q \;\Leftrightarrow\; (\forall \text{ closed } \Sigma_G\text{-substitutions } \sigma : P\sigma \,\underline{\leftrightarrow}_G\, Q\sigma).$$

In what follows, we shall sometimes consider equations that hold over all GSOS languages that extend a 
GSOS language G with new operation symbols and rules for the new operations. The following notions 
from [2] put these extensions on a formal footing. 

Definition 2.4 A GSOS language G' is a disjoint extension of a GSOS language G if the signature and 
rules of G' include those of G, and G' introduces no new rules for operations of G. 

If $G'$ disjointly extends $G$ then $G'$ introduces no new outgoing transitions for the closed terms of $G$. This
means in particular that $P \,\underline{\leftrightarrow}_G\, Q$ iff $P \,\underline{\leftrightarrow}_{G'}\, Q$, for
$P, Q \in T(\Sigma_G)$. (More general conservative extension results are discussed in, e.g., [15, 29].)

For $G$ a GSOS language, let BISIM($G$) stand for the class of all algebras Bisim($G'$), for $G'$ a disjoint
extension of $G$. Thus we have, for $P, Q \in \mathbb{T}(\Sigma_G)$,

$$\mathrm{BISIM}(G) \models P = Q \;\Leftrightarrow\; (\forall G' : G' \text{ a disjoint extension of } G \Rightarrow \mathrm{Bisim}(G') \models P = Q).$$

Checking the validity of a statement of the form Bisim(G) |= P = Q or BISIM(G) |= P = Q according 
to the above definition is at best very impractical, as it involves establishing bisimilarity of all closed 
instantiations of the terms P and Q. It would thus be helpful to have techniques that use only information 
obtainable from these terms and that can be used to this end. The development of one such technique 
will be the subject of the remainder of this paper. 

Eliminating Junk Rules Note that the definition of a GSOS language given above does not exclude
junk rules, i.e., rules that support no transition in $\to_G$. For example, the rule

$$\frac{x \xrightarrow{a} y,\quad x \stackrel{a}{\nrightarrow}}{f(x) \xrightarrow{a} f(x)}$$

has contradictory antecedents and can never fire. Also it can be the case that a (seemingly innocuous)
rule like

$$\frac{x \xrightarrow{a} y}{f(x) \xrightarrow{a} f(y)}$$

does not support any transition if $\to_G$ contains no $a$-transitions. The possible presence of junk rules does
not create any problems in the development of the theory of GSOS languages as presented in [2, 11] and
the authors of those papers saw no reason to deal with these rules explicitly.

Our aim in this paper is to develop a test for the validity of equalities between open terms in GSOS
languages. The test we shall present in later sections is based upon the idea of using GSOS rules as
'abstract transitions' in a bisimulation-like equivalence between open terms. In order to ease the
applicability of this method, it is thus desirable, albeit not strictly necessary, to eliminate junk rules from
GSOS languages, as these rules would be interpreted as 'potential transitions' from a term which, however,
cannot be realized.

Consider, for example, the trivial GSOS language TRIV with unary operations / and g, and rule 



/to A /(x) 
It is immediate to see that Bisim(TRIV) $\models f(x) = g(y)$ as the set of closed terms in TRIV is empty.
However, if we considered the rule for $f$ as a transition from $f(x)$ in a simple-minded way, we would be
led to distinguish $f(x)$ and $g(y)$ as the former has a transition while the latter does not. Obviously, the
rule for $f$ given above is junk.

Clearly junk rules can be removed from a GSOS language G without altering the associated transition 
relation. Of course, in order to be able to remove junk rules from a GSOS language, we need to be able to 
discover effectively what rules are junk. This is indeed possible, as the following theorem, due to Aceto, 
Bloom and Vaandrager [Theorem 5.22] Q, shows. 

Theorem 2.1 Let $G = (\Sigma_G, R_G)$ be a GSOS language. Suppose that $\rho \in R_G$. Then it is decidable
whether $\rho$ is junk in $G$.

As a consequence of the above theorem, all the junk rules in a GSOS language can be effectively removed 
in a pre-processing step before applying the techniques described in the subsequent sections. Thus we 
will henceforth restrict ourselves to GSOS languages without junk rules. 

3 Ruloids and the Operational Specification of Contexts 

As mentioned above, the essence of our method for checking the validity of equations in GSOS languages
is to devise a variation on bisimulation equivalence between contexts which considers GSOS rules as
transitions. For primitive operations in a GSOS language $G$, the rules in $R_G$ will be viewed as abstract
transitions from terms of the form $f(\vec{x})$. However, in general, we will be dealing with complex contexts
in $\mathbb{T}(\Sigma_G)$. In order to apply our ideas to general open terms, we will thus need to associate with
arbitrary contexts a set of derived rules (referred to as ruloids [11]) describing their behaviour.
A ruloid for a context $D[\vec{x}]$, with $\vec{x} = (x_1, \ldots, x_l)$, takes the form:

$$\frac{\bigcup_{i=1}^{l}\{x_i \xrightarrow{a_{ij}} y_{ij} \mid 1 \le j \le m_i\} \;\cup\; \bigcup_{i=1}^{l}\{x_i \stackrel{b_{ik}}{\nrightarrow} \mid 1 \le k \le n_i\}}{D[\vec{x}] \xrightarrow{c} C[\vec{x},\vec{y}]} \qquad (2)$$

where the variables are distinct, $m_i, n_i \ge 0$, $a_{ij}$, $b_{ik}$, and $c$ are actions, and $C[\vec{x},\vec{y}]$ is a
$\Sigma$-context.

Definition 3.1 A set of ruloids $R$ is supporting¹ for a context $D[\vec{x}]$ and action $c$ iff all the consequents
of ruloids in $R$ are of the form $D[\vec{x}] \xrightarrow{c} C[\vec{x},\vec{y}]$, and whenever
$D[\vec{P}] \xrightarrow{c} p$, there are a ruloid $\rho \in R$ and a closed substitution $\sigma$ such that
cons($\rho$)$\sigma = D[\vec{P}] \xrightarrow{c} p$ and $\to_G, \sigma \models$ ante($\rho$).

¹ Our terminology departs slightly from that of [11]. Bloom, Istrail and Meyer use 'specifically witnessing'
in lieu of 'supporting'.

The following theorem is a slightly sharpened version of the Ruloid Theorem in [11].

Theorem 3.1 [Ruloid Theorem] Let $G$ be a GSOS language and $X \subseteq Var$ be a finite set of variables. For
each $D[\vec{x}] \in \mathbb{T}(\Sigma_G)$ and action $c$, there exists a finite set $R_{D,c}$ of ruloids of the form (2)
such that:

1. the ruloids in $R_{D,c}$ are sound and supporting for $D[\vec{x}]$, and

2. for every $\rho \in R_{D,c}$, TV($\rho$) $\cap X = \emptyset$.

Proof: A straightforward adaptation of the proof of the corresponding result in [11], where we take care
in choosing the target variables in ruloids so that condition 2 in the statement of the theorem is met. □



Definition 3.2 Let $G$ be a GSOS language. For each $D[\vec{x}] \in \mathbb{T}(\Sigma_G)$, the ruloid set of
$D[\vec{x}]$, notation $R_G(D[\vec{x}])$, is the union of the sets $R_{D,c}$ given by Theorem 3.1.

The import of the Ruloid Theorem is that the operational semantics of an open term $P$ can be described
by a finite set $R_G(P)$ of derived GSOS-like rules. Examples of versions of the above result for more
expressive formats of operational rules may be found in, e.g., the references [10, 16].

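Example 3.1 Consider a GSOS language $G$ containing the sequencing operation specified by the
following rules (one such pair of rules for each $a \in Act$).

$$\frac{x \xrightarrow{a} z}{x;y \xrightarrow{a} z;y} \qquad \frac{x \stackrel{b}{\nrightarrow}\ (\forall b \in Act),\quad y \xrightarrow{a} z}{x;y \xrightarrow{a} z} \qquad (3)$$

Let $R[x,y,z] = x;(y;z)$ and $L[x,y,z] = (x;y);z$. The ruloids for $L$ and $R$ are:

$$\frac{x \xrightarrow{a} x'}{\begin{array}{c} L \xrightarrow{a} (x';y);z \\ R \xrightarrow{a} x';(y;z) \end{array}} \qquad \frac{x \nrightarrow,\ y \xrightarrow{a} y'}{\begin{array}{c} L \xrightarrow{a} y';z \\ R \xrightarrow{a} y';z \end{array}} \qquad \frac{x \nrightarrow,\ y \nrightarrow,\ z \xrightarrow{a} z'}{\begin{array}{c} L \xrightarrow{a} z' \\ R \xrightarrow{a} z' \end{array}} \qquad (4)$$

where we write $x \nrightarrow$ in the antecedents of ruloids as a shorthand for
$x \stackrel{b}{\nrightarrow}\ (\forall b \in Act)$.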

Remark 3.1 Note that the set $R_G(D[\vec{x}])$ of ruloids for a context $D[\vec{x}]$ in a GSOS language $G$ may
contain junk ruloids even when $G$ has no junk rule. For example, consider the GSOS language with constants
$a$ and $0$, unary operation $g$ and binary operation $f$ with the following rules.

x—>x,y—>y x -/> 



None of the above rules is junk. However, the only ruloid for the context $f(x,g(x))$ is

$$\frac{x \xrightarrow{a} x',\quad x \stackrel{a}{\nrightarrow}}{f(x,g(x)) \xrightarrow{a} 0}$$

which is junk. However, junk ruloids can be removed from the set of ruloids for a context using
Theorem 2.1. In what follows, we shall assume that the set of ruloids we consider have no junk ruloids.



In the standard theory on GSOS, it was not necessary to pay much attention to the variables in rules 
and ruloids, as one was only interested in the transition relation they induced over closed terms. (In the 
terminology of [18], all the variables occurring in a GSOS rule/ruloid are not free.) Here, however, we 
intend to use ruloids as abstract transitions between open terms. In this framework it becomes desirable 
to give a more reasoned account of the role played by variables in ruloids, as the following example 
shows. 
Example 3.2 Consider a GSOS language $G$ containing the unary operations $f$ and $g$ with the following
rules.

$$\frac{x \xrightarrow{a} y}{f(x) \xrightarrow{a} y} \qquad \frac{x \xrightarrow{a} z}{g(x) \xrightarrow{a} z}$$

It is easy to see that Bisim($G$) $\models f(x) = g(x)$, regardless of the precise description of $G$. However, in
order to prove this equality, any bisimulation-like equivalence relating open terms in $\mathbb{T}(\Sigma_G)$ would
have to relate the variables $y$ and $z$ in some way. Of course, this will have to be done carefully, as $y$ and
$z$ are obviously not equivalent in any nontrivial language.

As the above-given example shows, in order to be able to prove many simple equalities between open 
terms, it is necessary to develop techniques which allow us to deal with the target variables in ruloids in 
a reasonable way. In particular, we should not give too much importance to the names of target variables 
in ruloids. 

Definition 3.3 [Valid Ruloids] Let $G$ be a GSOS language and $P \in \mathbb{T}(\Sigma_G)$. We say that a ruloid
$\rho = \frac{H}{P \xrightarrow{a} P'}$ is valid for $P$ iff there exist $\rho' \in R_G(P)$ and an injective map
$\sigma : TV(\rho') \to (Var - SV(\rho))$ such that $\rho$ is identical to $\rho'\sigma$.

For example, it is immediate to notice that the rules

$$\frac{x \xrightarrow{a} z}{f(x) \xrightarrow{a} z} \qquad \frac{x \xrightarrow{a} y}{g(x) \xrightarrow{a} y}$$

are valid for the contexts $f(x)$ and $g(x)$ in the above-given example. Note, moreover, that each ruloid in
$R_G(P)$ is a valid ruloid for $P$.



The following lemma states that, if $\rho'$ is obtained from $\rho$ as in Definition 3.3, then $\rho$ and $\rho'$ are,
in a sense, semantically equivalent ruloids.

Lemma 3.1 Let $G = (\Sigma_G, R_G)$ be a GSOS language and $P \in \mathbb{T}(\Sigma_G)$. Assume that $\rho$ is a valid
ruloid for $P$ because $\rho = \rho'\sigma$ for some $\rho' \in R_G(P)$ and injective
$\sigma : TV(\rho') \to Var - SV(\rho)$. Then:

1. $\rho$ is sound for $\to_G$;

2. Supp($\rho$) = Supp($\rho'$), where, for a GSOS rule/ruloid $\rho$, Supp($\rho$) denotes the set of transitions
supported by $\rho$.



The set of valid ruloids for a context P is infinite. However, by Theorem 3.1 we can always select a finite 
set of valid ruloids for P which is sound and supporting for it. We will often make use of this observation 
in what follows. 



4 A Logic of Transition Formulae 



The set of ruloids associated with an open term $P$ in a GSOS language characterizes its behaviour in
much the same way as GSOS rules give the behaviour of GSOS operations. In fact, by Theorem 3.1,
every transition from a closed term of the form $P\sigma$ can be inferred from a ruloid in $R_G(P)$.
The antecedents of ruloids give the precise conditions under which ruloids fire. When matching
ruloids in the definition of the bisimulation-like relation between open terms that we aim at defining, we
will let a ruloid $\rho$ be matched by a set of ruloids $J$ only if the antecedents of $\rho$ are stronger than those of
the ruloids in $J$, i.e., if whenever $\rho$ can fire under a substitution $\sigma$, then at least one of the ruloids in $J$
can. In order to formalize this idea, we will make use of a simple propositional logic of initial transition
formulae.

We define the language of initial transition formulae to be propositional logic with propositions of
the form $x \xrightarrow{a}$. Formally, the formulae of such a logic are given by the following grammar:

$$F ::= \mathrm{True} \mid x \xrightarrow{a} \mid \neg F \mid F \wedge F .$$

As usual, we write False for $\neg$True, and $F \vee F'$ for $\neg(\neg F \wedge \neg F')$.

Let $G$ be a GSOS language. A $G$-model for initial transition formulae is a substitution $\sigma$ of processes
(closed $\Sigma_G$-terms) for variables. We write $\to_G, \sigma \models F$ if the closed substitution $\sigma$ is a model of
the initial transition formula $F$. The satisfaction relation $\models$ is defined by structural recursion on $F$ in the
obvious way. In particular,

$$\to_G, \sigma \models x \xrightarrow{a} \quad\text{iff}\quad \sigma(x) \xrightarrow{a}_G p, \text{ for some } p .$$

The reader familiar with Hennessy-Milner logic [20] will have noticed that the propositions of the form
$x \xrightarrow{a}$ correspond to Hennessy-Milner formulae of the form $\langle a \rangle$True. If $H$ is a set of positive
or negative transition formulae (e.g., the hypotheses of a rule or ruloid), then hyps($H$) is the conjunction
of the corresponding initial transition formulae. For example,
hyps($\{x \xrightarrow{a} y,\ z \stackrel{b}{\nrightarrow}\}$) $= (x \xrightarrow{a}) \wedge \neg(z \xrightarrow{b})$. If $J$ is a
finite set of ruloids, we overload hyps($\cdot$) and write:

$$\mathrm{hyps}(J) \triangleq \bigvee_{\rho' \in J} \mathrm{hyps}(\mathrm{ante}(\rho')) . \qquad (5)$$

The semantic entailment preorder between initial transition formulae may be now defined in the standard
way; for formulae $F, F'$, we have $\models_G F \Rightarrow F'$ iff every substitution that satisfies $F$ must also
satisfy $F'$.

In the remainder of this paper, we will use the semantic entailment preorder between transition
formulae in our test for equivalence of open terms to characterize the fact that if one ruloid may fire, then
some other may do so too. Of course, in order to be able to use the entailment preorder between transition
formulae in our test for open equalities, we need to be able to check effectively when
$\models_G F \Rightarrow F'$ holds. Fortunately, the semantic entailment preorder between formulae is decidable, as
the following theorem shows.

Theorem 4.1 Let $G$ be a GSOS language. Then for all formulae $F$ and $F'$, it is decidable whether
$\models_G F \Rightarrow F'$ holds.

Theorem 4.1 tells us that we can safely use semantic entailment between formulae in our simple
propositional language in the test for the validity of open equations in GSOS languages which we will
present in what follows.



5 Rule-matching Bisimulation 



We will now give a method to check the validity of equations in the algebra Bisim($G$) based on a
variation on the bisimulation technique. Our approach has strong similarities with, and is a sharpening of,
FH-bisimulation, as proposed by de Simone in [33, 34]. (We remark, in passing, that FH-bisimilarity
checking has been implemented in the tool ECRINS [14, 24].)

Definition 5.1 [Rule-matching Bisimulation] Let $G$ be a GSOS language. A relation
$\approx\ \subseteq \mathbb{T}(\Sigma_G) \times \mathbb{T}(\Sigma_G)$ is a rule-matching bisimulation if it is symmetric and
$P \approx Q$ implies

for each ruloid $\rho = \frac{H}{P \xrightarrow{a} P'}$ in the ruloid set of $P$, there exists a finite set $J$ of valid
ruloids for $Q$ such that:

1. For every $\rho' = \frac{H'}{Q \xrightarrow{a'} Q'} \in J$, we have:

(a) $a' = a$,

(b) $P' \approx Q'$,

(c) $(TV(\rho') \cup TV(\rho)) \cap (SV(\rho) \cup SV(\rho')) = \emptyset$, and

(d) if $y \in TV(\rho) \cap TV(\rho')$, then $x \xrightarrow{b} y \in H \cap H'$ for some source variable
$x \in SV(\rho) \cap SV(\rho')$ and action $b$.

2. $\models_G \mathrm{hyps}(\rho) \Rightarrow \mathrm{hyps}(J)$.

We write $P \,\underline{\leftrightarrow}^{RM}_G\, Q$ if there exists a rule-matching bisimulation $\approx$ relating $P$ and $Q$.
We sometimes refer to the relation $\underline{\leftrightarrow}^{RM}_G$ as rule-matching bisimilarity.



Note that, as the source and target variables of GSOS rules and ruloids are distinct, condition 1c is
equivalent to $TV(\rho) \cap SV(\rho') = \emptyset$ and $TV(\rho') \cap SV(\rho) = \emptyset$. Moreover,
$\underline{\leftrightarrow}^{RM}_G$ is just standard bisimilarity over closed terms.

Of course, the notion of rule-matching bisimulation is reasonable only if we can prove that it is sound 
with respect to the standard extension of bisimulation equivalence to open terms. This is the import of 
the following theorem. 

Theorem 5.1 [Soundness] Let $G$ be a GSOS language. Then, for all $P, Q \in \mathbb{T}(\Sigma_G)$,
$P \,\underline{\leftrightarrow}^{RM}_G\, Q$ implies Bisim($G$) $\models P = Q$.

The import of the above theorem is that, when trying to establish the equivalence of two contexts $P$ and
$Q$ in a GSOS language $G$, it is sufficient to exhibit a rule-matching bisimulation relating them. A natural
question to ask is whether the notion of rule-matching bisimulation is complete with respect to equality
in Bisim($G$), i.e. whether Bisim($G$) $\models P = Q$ implies $P \,\underline{\leftrightarrow}^{RM}\, Q$, for all
$P, Q \in \mathbb{T}(\Sigma_G)$. Below, we shall provide a counter-example to the above statement.

Example 5.1 Consider a GSOS language $G$ consisting of a constant $(a+b)^\omega$ with rules

$$(a+b)^\omega \xrightarrow{a} (a+b)^\omega \qquad (a+b)^\omega \xrightarrow{b} (a+b)^\omega$$

and unary function symbols $f$, $g$, $h$ and $i$ with rules

$$\frac{x \xrightarrow{a} y_1,\ x \xrightarrow{b} y_2}{h(x) \xrightarrow{a} f(x)} \qquad \frac{x \xrightarrow{a} y_1,\ x \xrightarrow{b} y_2}{i(x) \xrightarrow{a} g(x)} \qquad \frac{x \xrightarrow{a} y_1,\ x \xrightarrow{b} y_2}{f(x) \xrightarrow{a} f(x)} \qquad \frac{x \xrightarrow{a} y_1}{g(x) \xrightarrow{a} g(x)}$$

First of all, note that no rule in $G$ is junk as the hypotheses of each of the above rules are satisfiable.
We claim that Bisim($G$) $\models h(x) = i(x)$. To see this, it is sufficient to note that, for all
$p \in T(\Sigma_G)$,

$$h(p) \xrightarrow{c} r \;\Leftrightarrow\; p \xrightarrow{a},\ p \xrightarrow{b},\ c = a \text{ and } r = f(p) \quad\text{and}$$
$$i(p) \xrightarrow{c} r \;\Leftrightarrow\; p \xrightarrow{a},\ p \xrightarrow{b},\ c = a \text{ and } r = g(p) .$$

Moreover, for a term $p$ such that $a, b \in$ init($p$), it is immediate to see that
$f(p) \,\underline{\leftrightarrow}\, g(p)$ as both these terms can only perform action $a$ indefinitely.

However, $h(x)$ and $i(x)$ are not rule-matching bisimilar. In fact, in order for
$h(x) \,\underline{\leftrightarrow}^{RM}\, i(x)$ to hold, it must be the case that $f(x) \,\underline{\leftrightarrow}^{RM}\, g(x)$.
This does not hold as the unique rule for $g(x)$ cannot be matched by the rule for $f(x)$ because
$(x \xrightarrow{a}) \not\Rightarrow (x \xrightarrow{a} \wedge\, x \xrightarrow{b})$. Take, e.g., a closed substitution
$\sigma$ such that $\sigma(x) = h((a+b)^\omega)$.

Intuitively, the failure of rule-matching bisimulation in the above example is due to the fact that, in
order for Bisim($G$) $\models h(x) = i(x)$ to hold, it is sufficient that $f(p)$ and $g(p)$ be bisimilar for those
terms $p$ which enable transitions from $h(p)$ and $i(p)$, rather than for arbitrary instantiations.



Note that the equation discussed in Example 5.1 is valid in each disjoint extension of the GSOS language
considered there. In the following section we will provide examples that will, hopefully, convince our
readers that rule-matching bisimulation is a tool which, albeit not complete, can be used to check the
validity of many interesting equations.

It is natural to ask oneself at this point whether rule-matching bisimilarity is preserved by taking
disjoint extensions, i.e., whether an equation that has been proven to hold in a language $G$ using
rule-matching bisimilarity remains sound for each disjoint extension of $G$. The following example shows
that this is not the case.

Example 5.2 Consider a GSOS language $G$ consisting of a constant $a^\omega$ with rule
$a^\omega \xrightarrow{a} a^\omega$ and unary operations $f$ and $g$ with the following rules.

$$\frac{x \xrightarrow{a} x'}{f(x) \xrightarrow{a} f(x)} \qquad \frac{y \xrightarrow{a} y'}{g(y) \xrightarrow{a} g(y)}$$

First of all, note that no rule in $G$ is junk as the hypotheses of each of the above rules are satisfiable.

We claim that Bisim($G$) $\models f(x) = g(y)$. To see this, it is sufficient to note that each closed term in
the language is bisimilar to $a^\omega$. Moreover, $f(x) \,\underline{\leftrightarrow}^{RM}\, g(y)$ holds because the
formulae $x \xrightarrow{a}$ and $y \xrightarrow{a}$ are logically equivalent in $G$. On the other hand, consider the
disjoint extension $G'$ of $G$ obtained by adding the constant with no rules to $G$. In this disjoint extension,
$f(x) \,\underline{\leftrightarrow}^{RM}\, g(y)$ does not hold because $x \xrightarrow{a}$ does not entail
$y \xrightarrow{a}$.

However, rule-matching bisimilarity in language $G$ is preserved by taking disjoint extensions if the
language $G$ is sufficiently expressive in the sense formalized by the following result.

Theorem 5.2 Let $G$ be a GSOS language such that init($T(\Sigma_G)$) $= 2^{Act}$. Then, for all
$P, Q \in \mathbb{T}(\Sigma_G)$, $P \,\underline{\leftrightarrow}^{RM}_G\, Q$ implies BISIM($G$) $\models P = Q$.

Proof: The proof of Theorem 5.1 can be replayed, making use of the observations that for each disjoint
extension $G'$ of $G$, the collection of ruloids in $G'$ for a $\Sigma_G$-term $P$ coincides with the collection of
ruloids for $P$ in $G$. Moreover, in light of the proviso of the theorem, $\models_G F \Rightarrow F'$ iff
$\models_{G'} F \Rightarrow F'$, for all formulae $F$ and $F'$. □
A conceptually interesting consequence of the above result is that, when applied to a sufficiently
expressive GSOS language $G$, rule-matching bisimilarity is a proof method that is, in some sense, monotonic
with respect to taking disjoint extensions of the original language. This means that rule-matching
bisimilarity can only prove the validity of equations in $G$ that remain true in all its disjoint extensions. A
similar limitation applies to the proof methods presented in, e.g., [34, 35].
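
The following Python example is an added illustration, not part of the paper. It decides $\models_G F \Rightarrow F'$ (Theorem 4.1), condition 2 of Definition 5.1, junk-ness of a rule and the proviso of Theorem 5.2 by enumerating init sets, using the fact that satisfaction of an initial transition formula under $\sigma$ depends only on init($\sigma(x)$). It assumes init($T(\Sigma_G)$) is supplied as input (computing it is not shown); all function names and the init sets listed for Examples 5.1 and 5.2 are constructed for this illustration.

```python
from itertools import combinations, product

# Formulae as nested tuples: ("true",), ("can", x, a) for "x --a-->",
# ("not", F) and ("and", F1, F2), following the grammar of Section 4.
TRUE = ("true",)

def can(x, a):
    return ("can", x, a)

def neg(f):
    return ("not", f)

def conj(*fs):
    out = TRUE
    for f in fs:
        out = f if out == TRUE else ("and", out, f)
    return out

def disj(*fs):
    # F v F' abbreviates not(not F and not F'); the empty disjunction is False.
    return neg(conj(*(neg(f) for f in fs)))

def variables(f):
    if f[0] == "can":
        return {f[1]}
    return set().union(*(variables(g) for g in f[1:]))

def holds(f, init_of):
    """Satisfaction of f when each variable x denotes a term with init set init_of[x]."""
    if f[0] == "true":
        return True
    if f[0] == "can":
        return f[2] in init_of[f[1]]
    if f[0] == "not":
        return not holds(f[1], init_of)
    return holds(f[1], init_of) and holds(f[2], init_of)

def models(fs, init_sets):
    """Every way of giving the variables of fs a realizable init set.
    No closed terms (init_sets empty) means there is no closed substitution at all."""
    if not init_sets:
        return
    xs = sorted(set().union(*(variables(f) for f in fs)))
    for choice in product(init_sets, repeat=len(xs)):
        yield dict(zip(xs, choice))

def entails(f, g, init_sets):
    """|=_G f => g, with G represented by init(T(Sigma_G))."""
    return all(holds(g, m) for m in models([f, g], init_sets) if holds(f, m))

def hyps(antecedents):
    """antecedents: (x, a, positive) triples; target variables play no role here."""
    return conj(*(can(x, a) if pos else neg(can(x, a)) for x, a, pos in antecedents))

def hyps_of_set(ruloids):
    """hyps(J) as in equation (5): the disjunction over the ruloids in J."""
    return disj(*(hyps(r) for r in ruloids))

def matches(rho, J, init_sets):
    """Condition 2 of Definition 5.1: |=_G hyps(rho) => hyps(J)."""
    return entails(hyps(rho), hyps_of_set(J), init_sets)

def is_junk(antecedents, init_sets):
    """A rule supports no transition iff no closed substitution satisfies its antecedents."""
    f = hyps(antecedents)
    return not any(holds(f, m) for m in models([f], init_sets))

def sufficiently_expressive(init_sets, act):
    """Proviso of Theorem 5.2: init(T(Sigma_G)) = 2^Act."""
    powerset = {frozenset(c) for r in range(len(act) + 1) for c in combinations(act, r)}
    return {frozenset(s) for s in init_sets} == powerset

# Constructed inputs: init sets read off the languages of Examples 5.1 and 5.2.
E, A, AB = frozenset(), frozenset("a"), frozenset("ab")
INIT_5_1 = [E, A, AB]        # f(h((a+b)^w)), h((a+b)^w), (a+b)^w
INIT_5_2 = [A]               # every closed term can only do a
INIT_5_2_EXT = [A, E]        # disjoint extension with a constant that has no rules
F_RULE = [("x", "a", True), ("x", "b", True)]   # antecedents of the rule for f(x), Example 5.1
G_RULE = [("x", "a", True)]                     # antecedents of the rule for g(x), Example 5.1

if __name__ == "__main__":
    print("5.1: g's rule matched by f's rule:", matches(G_RULE, [F_RULE], INIT_5_1))
    print("5.2: x-a-> entails y-a-> in G:", entails(can("x", "a"), can("y", "a"), INIT_5_2))
    print("5.2: x-a-> entails y-a-> in G':", entails(can("x", "a"), can("y", "a"), INIT_5_2_EXT))
    print("contradictory antecedents are junk:",
          is_junk([("x", "a", True), ("x", "a", False)], INIT_5_1))
```
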



6 Examples 

We shall now present some examples of applications of the 'rule-matching bisimulation technique'. In 
particular, we shall show how some well known equations found in the literature on process algebra can 
be verified using it. 



Associativity of Sequencing Let $G$ be any GSOS language containing the sequencing operation
specified by (3). Let $R[x,y,z] = x;(y;z)$ and $L[x,y,z] = (x;y);z$. The ruloids for these two contexts were
given in (4).

Consider the symmetric closure of the relation

$$\approx\ = \{(R[x,y,z], L[x,y,z]) \mid x, y, z \in Var\} \cup \mathcal{I}$$

where $\mathcal{I}$ denotes the identity relation over $\mathbb{T}(\Sigma_G)$. By Theorem 5.1, to show that the contexts
$L$ and $R$ are equivalent, it is sufficient to check that what we have just defined is a rule-matching
bisimulation. In particular, we need to check the correspondence between the ruloids for these contexts
(which is the one given in (4)), and then check that the targets are related by $\approx$. The verification of
these facts is trivial. Thus we have shown that sequencing is associative in any GSOS language that
contains the sequencing operation.

The associativity proofs for the standard parallel composition operators found in e.g. ACP, CCS,
SCCS and Meije, and for the choice operators in those calculi follow similar lines.



Commutativity of Interleaving Parallel Composition Many standard axiomatizations of behavioural 
equivalences in the literature cannot be used to show that, e.g., parallel composition is commutative and 
associative. We will now show how this can be easily done using the rule-matching bisimulation tech- 
nique. We will exemplify the methods by showing that the interleaving parallel composition operation ||| 
|2TI is commutative. 

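We recall that the rules for ||| are (one pair of rules for each $a \in \mathrm{Act}$):

$$\frac{x \xrightarrow{a} x'}{x \mathbin{|||} y \xrightarrow{a} x' \mathbin{|||} y} \qquad \frac{y \xrightarrow{a} y'}{x \mathbin{|||} y \xrightarrow{a} x \mathbin{|||} y'} \tag{6}$$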



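The ruloids for the contexts x ||| y and y ||| x given by Theorem 3.1 are the following ones (one pair of
ruloids for each $a \in \mathrm{Act}$).

$$\frac{x \xrightarrow{a} x'}{x \mathbin{|||} y \xrightarrow{a} x' \mathbin{|||} y} \qquad \frac{y \xrightarrow{a} y'}{x \mathbin{|||} y \xrightarrow{a} x \mathbin{|||} y'}$$

$$\frac{x \xrightarrow{a} x'}{y \mathbin{|||} x \xrightarrow{a} y \mathbin{|||} x'} \qquad \frac{y \xrightarrow{a} y'}{y \mathbin{|||} x \xrightarrow{a} y' \mathbin{|||} x}$$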

It is now immediate to see that the relation $\{(x \mathbin{|||} y, y \mathbin{|||} x) \mid x,y \in \mathrm{Var}\}$ is a rule-matching bisimulation in
any GSOS language that includes the interleaving operator. In fact, the correspondence between the
ruloids is trivial and the targets are related by the above relation.
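
Fix a partial, commutative and associative function $\gamma : \mathrm{Act} \times \mathrm{Act} \rightharpoonup \mathrm{Act}$, which describes
the synchronization between actions. The || operation can be described by the rules (for all
$a,b,c \in \mathrm{Act}$):

$$\frac{x \xrightarrow{a} x'}{x \parallel y \xrightarrow{a} x' \parallel y} \qquad \frac{y \xrightarrow{a} y'}{x \parallel y \xrightarrow{a} x \parallel y'} \qquad \frac{x \xrightarrow{a} x' \quad y \xrightarrow{b} y'}{x \parallel y \xrightarrow{c} x' \parallel y'} \;\; \gamma(a,b) = c$$

Figure 1: The rules for ||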

De Simone's Clock Example In his seminal paper [34], de Simone presents a bisimulation-based
technique useful for proving open equations between contexts specified using the so-called de Simone
format of operational rules. On page 260 of that paper, de Simone discusses two examples showing
that there are valid open equalities between contexts that his technique cannot handle. Below, we shall
discuss a variation on one of his examples, the clock example, which maintains all the characteristics
of the original one in [34], showing how rule-matching bisimulations can be used to check the relevant
equalities.

Suppose we have a GSOS language which includes parallel composition with synchronization, ||,
described by the rules in Figure 1, the interleaving operation, |||, described by the rules (6), and a constant
$\Omega_{\mathrm{Act}}$ (the clock over the whole set of actions in de Simone's terminology) with rules

$$\Omega_{\mathrm{Act}} \xrightarrow{a} \Omega_{\mathrm{Act}} \quad (a \in \mathrm{Act}).$$

Consider the contexts $C[x] = x \parallel \Omega_{\mathrm{Act}}$ and $D[x] = x \mathbin{|||} \Omega_{\mathrm{Act}}$. We do have that, regardless of the
precise description of G, the terms $C[x]$, $D[x]$ and $\Omega_{\mathrm{Act}}$ are all equal in Bisim(G). This can be
easily shown by establishing that the symmetric closures of the relations $\{(C[p], \Omega_{\mathrm{Act}}) \mid p \in T(\Sigma_G)\}$ and
$\{(D[p], \Omega_{\mathrm{Act}}) \mid p \in T(\Sigma_G)\}$ are bisimulations. However, as argued in [34], de Simone's techniques based
on FH-bisimilarity cannot be used to establish these equalities. We can instead show their validity using
our rule-matching bisimulation technique as follows.

First of all, we compute the ruloids for the contexts C[x] and D[x]. These are, respectively,

$$\frac{}{C[x] \xrightarrow{a} C[x]} \;(a \in \mathrm{Act}) \qquad \frac{x \xrightarrow{a} x'}{C[x] \xrightarrow{a} C[x']} \;(a \in \mathrm{Act}) \qquad \frac{x \xrightarrow{a} x'}{C[x] \xrightarrow{b} C[x']} \;(\exists c \in \mathrm{Act} : \gamma(a,c) = b)$$

and

$$\frac{}{D[x] \xrightarrow{a} D[x]} \;(a \in \mathrm{Act}) \qquad \frac{x \xrightarrow{a} x'}{D[x] \xrightarrow{a} D[x']} \;(a \in \mathrm{Act}).$$

Now, it can be easily checked that the symmetric closure of the relation

$$\{(C[x], D[z]),\ (C[x], \Omega_{\mathrm{Act}}),\ (D[x], \Omega_{\mathrm{Act}}) \mid x, z \in \mathrm{Var}\}$$

is a rule-matching bisimulation. The point is that any ruloid for C[x] can be matched by an axiom for
D[z], and, vice versa, any ruloid for D[z] can be matched by an axiom for C[x]. This is because it is
always the case that $\models (x \xrightarrow{a}) \Rightarrow \mathit{True}$ for $x \in \mathrm{Var}$.
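
The closed-term claim of the clock example (that instances of C[p], D[q] and the clock are pairwise bisimilar) can be checked mechanically on a finite sample; the following is an added example, not code from the paper, and it checks ordinary bisimulation on closed terms rather than rule-matching bisimulation. The action set `ACT`, the synchronization table `GAMMA`, the tuple encoding of terms and the sampled terms built from nil, prefixing and choice are all assumptions made for illustration.

```python
from itertools import product

ACT = ("a", "b")               # constructed action set (assumption)
GAMMA = {("a", "a"): "b"}      # constructed partial, commutative gamma (assumption)
NIL, OMEGA = ("nil",), ("omega",)

def steps(t):
    """Set of (action, target) pairs derivable for the closed term t."""
    op = t[0]
    if op == "nil":
        return set()
    if op == "pre":            # prefixing: a.p --a--> p
        return {(t[1], t[2])}
    if op == "sum":            # choice: moves of either summand
        return steps(t[1]) | steps(t[2])
    if op == "omega":          # clock: Omega --a--> Omega for every a
        return {(a, OMEGA) for a in ACT}
    p, q = t[1], t[2]          # "il" is |||, "par" is ||: both interleave
    out = {(a, (op, p2, q)) for a, p2 in steps(p)}
    out |= {(a, (op, p, q2)) for a, q2 in steps(q)}
    if op == "par":            # || adds synchronisation where gamma is defined
        for (a, p2), (b, q2) in product(steps(p), steps(q)):
            if (a, b) in GAMMA:
                out.add((GAMMA[(a, b)], ("par", p2, q2)))
    return out

def in_class(u):
    """True for Omega, C[p] = p || Omega and D[p] = p ||| Omega (p closed)."""
    return u == OMEGA or (u[0] in ("par", "il") and u[2] == OMEGA)

def transfer_ok(s, t):
    """Bisimulation transfer property for (s, t), checked in both directions."""
    def sim(u, v):             # every move of u is matched by v, targets in the class
        return all(any(a == b and in_class(u2) and in_class(v2) for b, v2 in steps(v))
                   for a, u2 in steps(u))
    return sim(s, t) and sim(t, s)

def closed_terms(depth):
    """Constructed sample of closed terms p: nil, prefix and choice up to depth."""
    if depth == 0:
        return [NIL]
    sub = closed_terms(depth - 1)
    return (sub + [("pre", a, p) for a in ACT for p in sub]
            + [("sum", p, q) for p in sub for q in sub])

def clock_example_holds(depth=2):
    """Check C[p], D[q] and Omega pairwise for all sampled closed p and q."""
    states = [(op, p, OMEGA) for op in ("par", "il") for p in closed_terms(depth)] + [OMEGA]
    return all(transfer_ok(s, t) for s in states for t in states)
```

A `True` result only covers the sampled instances and the chosen `ACT` and `GAMMA`; the rule-matching argument above is what establishes the equalities for every closed substitution.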

7 Partial Completeness Results

In previous sections, we showed that the rule-matching bisimulation technique, albeit not complete in 
general, can be used to prove several important equations found in the literature on process algebras. In 
particular, the soundness of all the equations generated by the methods in [2] can be proven by exhibiting 
appropriate rule-matching bisimulations. A natural question to ask is whether there are some classes 
of contexts for which rule-matching bisimulations give us a complete proof technique for establishing 
equality between contexts. One such class of contexts is, of course, that of closed terms, as rule-matching 
bisimilarity coincides with bisimilarity over processes. 

Below we will present another partial completeness result, this time with respect to a class of contexts 
that we call 'persistent'. 

Definition 7.1 Let G be a GSOS language and $P \in T(\Sigma_G)$. We say that P is persistent iff each ruloid in
$R_G(P)$ is of the form $\frac{H}{P \xrightarrow{a} P}$ for some $a \in \mathrm{Act}$.

Thus persistent contexts are terms that test their arguments, perform actions according to the results of 
these tests, and then remain unchanged. 

Theorem 7.1 [Completeness for Persistent Contexts] Let G be a GSOS language. Then $\mathrm{Bisim}(G) \models P = Q$
iff $P \mathrel{\underline{\leftrightarrow}_{RM}} Q$, for all persistent $P, Q \in \mathbb{T}(\Sigma_G)$.

We now proceed to introduce another class of operations for which rule-matching bisimilarity yields a 
complete proof method. 

Definition 7.2 [Non-inheriting Rule] A GSOS rule of the form (1) is non-inheriting if none of the
variables in $\vec{x}$, namely the source variables in the rule, occurs in the target of the conclusion of the rule
$C[\vec{x}, \vec{y}]$. A GSOS language is non-inheriting if so is each of its rules. Non-inheriting de Simone rules and
languages are defined similarly.

Theorem 7.2 Let G be a non-inheriting GSOS language that, for each $P \in \mathbb{T}(\Sigma_G)$ and $c \in \mathrm{Act}$, contains
at most one ruloid for P having $c \in \mathrm{Act}$ as action. Let G' be the disjoint extension of G obtained by
adding to G the operations and rules of the language BCCSP [17, 26] with Act as set of actions. Let P
and Q be terms over $\Sigma_G$. Then $\mathrm{Bisim}(G') \models P = Q$ implies $P \mathrel{\underline{\leftrightarrow}_{RM}} Q$.

A minor modification of the proof for the above result yields a partial completeness result for a class of 
de Simone systems. 

Theorem 7.3 Let G be a non-inheriting de Simone language that, for each $f \in \Sigma_G$ and $c \in \mathrm{Act}$, contains
at most one rule having $f \in \Sigma_G$ as principal operation and $c \in \mathrm{Act}$ as action. Let G' be the disjoint
extension of G obtained by adding to G the constant and the Act-labelled prefixing operations from the
language BCCSP [17, 26]. Let P and Q be terms over $\Sigma_G$. Then $\mathrm{Bisim}(G') \models P = Q$ implies $P \mathrel{\underline{\leftrightarrow}_{RM}} Q$.

For instance, the above theorem yields that rule-matching bisimilarity can prove all the sound equations 
between terms constructed using variables and the operations of restriction and injective relabelling from 
CCS [26] and synchronous parallel composition from CSP [21].

8 Related and Future Work

The development of general methods for proving equivalences between open terms in expressive process
calculi is a challenging subject that has received some attention since the early developments of the
algebraic theory of processes — see, e.g., the references [12, 23, 32, 34, 35] for some of the work in this
area. De Simone's FH-bisimilarity [34] represents an early meaningful step towards a general account
of the problem, presenting for the first time a sound bisimulation method in place of the usual definition
which involves the closure under all possible substitutions. Our method relies mainly on the concepts
underlying FH-bisimilarity and it is a refinement of that notion in the more expressive setting of GSOS
languages. (See de Simone's 'Clock Example' discussed on page 12, where FH-bisimilarity fails while
$\underline{\leftrightarrow}_{RM}$ succeeds.)

Later Rensink addressed the problem of checking bisimilarity of open terms in [32], where he
presented a natural sharpening of de Simone's FH-bisimilarity. His extension of FH-bisimilarity is
orthogonal to ours and provides another method to check equivalences between open terms that is more
powerful than the original FH-bisimilarity. Rensink defined a new notion of bisimulation equivalence,
called hypothesis preserving bisimilarity, that adds to FH-bisimilarity the capability to store some kind
of information about the variable transitions during the computation.



To explain the import of hypothesis preserving bisimilarity we can look at Example 5.1. We note that
$\underline{\leftrightarrow}_{RM}$ fails to establish the sound equation h(x) = i(x) because at the second step of the computation some
knowledge about the transitions of the closed term p substituted for x is already established (indeed, at
that point we know that p performs a ^-transition, since this has been tested at the first step). Nevertheless,
when comparing f(x) and g(x), rule-matching bisimulation behaves in memoryless fashion and ignores
this information. Rensink's hypothesis preserving bisimilarity takes into account the history and this
is enough to overcome the difficulties in that example and analogous scenarios. Adding this feature to
$\underline{\leftrightarrow}_{RM}$ would lead to a more powerful rule-matching equivalence; we leave this further sharpening for
future work together with extensions of $\underline{\leftrightarrow}_{RM}$ to more expressive rule formats.

Recently, van Weerdenburg addressed the automation of soundness proofs in [35]. His approach
differs from the one in [32, 34] and ours since he translates the operational semantics into a logical
framework. In such a framework, rules are encoded as logical formulae and the overall semantics turns
out to be a logical theory, for which van Weerdenburg provides a sequent calculus style proof system.
In the aforementioned paper, he offers some examples of equivalences from the literature that can be
proved using his method in order to highlight its applicability. However, even though the ultimate aim
of the research described in [35] is the automation of soundness proofs, van Weerdenburg's system
presents some drawbacks. The main point is that the user is not only required to provide the operational
semantics and the equation to check (together with the standard encoding of bisimilarity), but he must
also provide a candidate bisimulation relation that can be used to show the validity of the equation under
consideration together with all the axioms that are needed to complete the proof. The user is supposed
thus to have a clear understanding of what the proof is going to look like. This seems to be a general and
inescapable drawback when approaching the problem of checking equations through a translation into a
logical system.

Despite the aforementioned slight drawback, the approach proposed by van Weerdenburg is, however,
very interesting and complements the proposals that are based on the ideas underlying de Simone's
FH-bisimilarity, including ours. We believe that an adequate solution to the problem of automating checks
for the validity of equations in process calculi will be based on a combination of bisimulation-based and
logical approaches.

A related line of work is the one pursued in, e.g., the papers [1, 13, 28]. Those papers present
rule formats that guarantee the soundness of certain algebraic laws over a process language 'by design',
provided that the SOS rules giving the semantics of certain operators fit that format. This is an orthogonal
line of investigation to the one reported in this article. As a test case for the applicability of our
rule-based bisimilarity, we have checked that the soundness of all the equations guaranteed to hold by the
commutativity format from [28] can be shown using $\underline{\leftrightarrow}_{RM}$. We are carrying out similar investigations for
the rule formats proposed in [1, 13].

Another avenue for future research we are actively pursuing is the search for more, and more
general, examples of partial completeness results for rule-matching bisimulation over GSOS and de Simone
languages. Indeed, the partial completeness results we present in Section 7 are just preliminary steps
that leave substantial room for improvement. Last, but not least, we are about to start working on an
implementation of a prototype checker for rule-matching bisimilarity.